On Mon, Dec 26, 2011 at 11:38:10AM +0100, Iustin Pop wrote:
> On Sun, Dec 25, 2011 at 12:08:57PM +0000, Philipp Kern wrote:
> > On 2011-12-25, Stephan Seitz <stse+deb...@fsing.rootsland.net> wrote:
> > > All admins I know have at least some servers with custom kernels (in the
> > > past it was said, to build your firewall/server kernels without module
> > > support, so that no rootkit module could be loaded).
> > No longer needed. See /proc/sys/kernel/modules_disabled.
> That's not equivalent - an attacker that can load modules can also
> remove the init script that sets this variable to 1 and reboot the
> machine.
>
> For proper safeguarding you still want no module support in the kernel
> at all.

Sorry, but what kind of argumentation is that? If the admin doesn't notice reboots and/or file tampering, I could just replace the kernel with my modified one and reboot.

Now of course you could increase your paranoia and boot the kernel from an immutable disc. But then I'd just load all relevant modules in the initramfs and set modules_disabled there instead of doing custom built kernels just to get rid of modules.

Kind regards
Philipp Kern
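The approach described in the message above (load the needed modules early, then set modules_disabled), sketched as an added example that is not part of the original post or of any Debian package. The function names, the module-list file format and the MODPROBE / SYSCTL_FILE overrides are assumptions made for illustration; the overrides let the logic run without root.

```shell
#!/bin/sh
# Added example: load a fixed module list, then lock module loading.
# Intended to be called from an early-boot script (for instance an
# initramfs-tools script under scripts/init-bottom/; that wiring is assumed
# and not shown here).

MODPROBE="${MODPROBE:-modprobe}"
SYSCTL_FILE="${SYSCTL_FILE:-/proc/sys/kernel/modules_disabled}"

# Load every module named in file $1 (one per line, '#' starts a comment).
# Returns non-zero if any module failed to load.
load_required_modules() {
    load_rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        mod="${line%%#*}"                               # strip comment
        mod="$(printf '%s' "$mod" | tr -d '[:space:]')" # strip whitespace
        [ -n "$mod" ] || continue
        "$MODPROBE" "$mod" || { echo "failed to load $mod" >&2; load_rc=1; }
    done < "$1"
    return "$load_rc"
}

# Write 1 to the sysctl and read it back. On a real kernel this is one-way:
# once set, modules can be neither loaded nor unloaded until the next boot.
lock_modules() {
    printf '1\n' > "$SYSCTL_FILE" || return 1
    [ "$(cat "$SYSCTL_FILE")" = "1" ]
}

# Lock even when a module failed to load (fail closed), but report it:
# 0 = all loaded and locked, 1 = locked with a load failure, 2 = not locked.
lockdown() {
    status=0
    load_required_modules "$1" || status=1
    lock_modules || status=2
    return "$status"
}
```

A non-zero return from `lockdown` is worth logging at boot, since status 2 means the system is running with module loading still enabled.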